Forum Discussion
ICMP (Fragmentation needed) Between Firewall and LTM
Hello Abed
The issue you're experiencing with ICMP "Fragmentation Needed" messages causing a loop between your Fortinet firewall and the F5 LTM is indeed a challenging one but not uncommon in complex network setups. The problem appears to be related to Path MTU Discovery (PMTUD) and how the F5 LTM handles ICMP "Fragmentation Needed" messages.
Path MTU Discovery (PMTUD) is a mechanism used to determine the maximum transmission unit (MTU) size on the path between two IP hosts, ensuring that IP packets are transmitted without the need for fragmentation. When a packet exceeds the MTU size, an ICMP "Fragmentation Needed" message is sent back to the sender, indicating that the packet needs to be fragmented or resized to fit the MTU.
In your case, it seems that the F5 LTM is not properly handling these ICMP messages and is instead sending them back to the firewall, causing a loop. This can happen if the LTM's routing table or PMTUD configuration is not properly set up to handle these messages.
Enable PMTUD on F5 LTM (the db key is tm.pathmtudiscovery, as your own list output shows):
tmsh modify sys db tm.pathmtudiscovery value enable
Check and adjust MTU settings (change the MTU only if necessary):
tmsh list net interface all-properties
tmsh modify net interface <interface_name> mtu <mtu_value>
Update the routing table:
tmsh list net route
tmsh modify net route <route_name> gw <gateway_ip>
Adjust the TCP MSS:
tmsh modify sys db tcp.mss value 1460
On Fortinet:
config system interface
edit <interface_name>
set tcp-mss <mss_value>
next
end
Review the relevant articles:
https://my.f5.com/manage/s/article/K000138230
https://my.f5.com/manage/s/article/K13948
- Abed_AL-R, Jan 22, 2025
Cirrostratus
Thanks for the reply, but I have already read those articles and mentioned them in the article.
PMTUD is already enabled:
root@(f5-r10600-abc)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tm.pathmtudiscovery
sys db tm.pathmtudiscovery {
value "enable"
}
The routing table is not static, so things cannot be changed there; it is a combination of BGP and OSPF, with redistribution between them.
The routing table is stable and works fine for all other kinds of traffic; only this kind of traffic (ICMP frag needed) is being ignored, or at least that is what it seems like.
So the routing table should be modified if everything is working fine, but only this
Regarding adjusting the tcp-mss, we thought about it, but this is an enterprise network; we are afraid to modify this and maybe corrupt many other things.
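To make the PMTUD mechanism described in the first reply and the "ICMP frag needed is being ignored" symptom above concrete, here is an added example (not code from either poster or from F5) that builds RFC 1191 Fragmentation Needed messages, parses them, and flags flows that keep drawing the same message, which is what a capture on the firewall-LTM link would show if the ICMP never reaches the original sender. The addresses, the 1380-byte next-hop MTU and the capture are constructed sample values.

```python
import socket
import struct
from collections import defaultdict

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, df: bool = False) -> bytes:
    """Minimal IPv4 header (no options); the DF bit is what makes PMTUD possible."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000 if df else 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def frag_needed(router: str, original: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4: quotes the IP header plus 8 bytes of the offending datagram."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original[:28]
    body = body[:2] + struct.pack("!H", _checksum(body)) + body[4:]
    sender = socket.inet_ntoa(original[12:16])  # the message goes back to the original sender
    return ipv4(router, sender, 1, body)

def parse_frag_needed(pkt: bytes):
    """Return (router, next_hop_mtu, inner_src, inner_dst, inner_proto) or None if not type 3/code 4."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8 + 20:  # outer protocol must be ICMP with a quoted header
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 3 or icmp[1] != 4:
        return None
    inner = icmp[8:]
    return (socket.inet_ntoa(pkt[12:16]), struct.unpack("!H", icmp[6:8])[0],
            socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), inner[9])

def find_pmtud_loops(packets, threshold: int = 3):
    """A healthy sender shrinks its packets after one Fragmentation Needed; the same inner flow
    drawing the message again and again means the ICMP is being dropped or bounced on the path."""
    seen = defaultdict(list)
    for p in packets:
        parsed = parse_frag_needed(p)
        if parsed:
            router, mtu, src, dst, proto = parsed
            seen[(src, dst, proto)].append((router, mtu))
    return {flow: hits for flow, hits in seen.items() if len(hits) >= threshold}

# Constructed sample: a 1400-byte DF TCP datagram from a client to the VIP, and a firewall
# (placeholder address 192.0.2.1) answering it five times with next-hop MTU 1380.
ORIGINAL = ipv4("10.1.1.10", "10.2.2.20", 6, b"\x00" * 1400, df=True)
CAPTURE = [frag_needed("192.0.2.1", ORIGINAL, 1380) for _ in range(5)]
```

Running `find_pmtud_loops(CAPTURE)` reports the client-to-VIP flow with all five hits and the advertised MTU, which is the value to compare against the interface MTUs on both boxes.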